Provisioning a user identity for an organization's computing environment can include creating a user's identity and assigning rules, roles, or permissions to that identity. This process can involve creating a directory account and providing the account with the correct permissions to ensure that the user has appropriate access to the resources and applications he or she needs for day-to-day tasks. For example, in the Windows® world, provisioning often includes creating an account in Active Directory® (AD), a mailbox account in Microsoft® Exchange™, and assignment to the various distribution lists and groups required by the user's role in the organization.
Organizations tend to provision many different target systems. Some examples of target systems include human resources (HR) management systems, ERP (enterprise resource planning) systems, any number of Web portals and applications, various directories that control access to different types of resources such as servers and databases, phone systems, and so on. Although some steps, such as provisioning the phone system, might be unavoidably separate, others represent a frustrating redundancy because a single user's identity may need to be provisioned multiple times on multiple target systems with multiple processes to create the right access. If a company has already settled on AD as its authoritative directory, it can be frustratingly inefficient to also be required to provision user accounts across all the systems and applications that do not leverage the AD identity for access. Moreover, the provisioning process can continue as users' roles and authorizations change or as users leave the organization.
Every provisioning action consumes time, creates another point that may have to be audited for compliance requirements, and is another opportunity for human error. The result is significant time and money spent correcting provisioning errors—assuming the errors are even discovered.